ES2552675A1 - Routing method with security and authentication at the frame level (Machine-translation by Google Translate, not legally binding) - Google Patents
- Publication number: ES2552675A1
- Authority: ES (Spain)
- Prior art keywords: access, user, addresses, network, mac address
- Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Classifications
- H04L63/083: Network architectures or network communication protocols for network security for authentication of entities using passwords
- H04L63/00: Network architectures or network communication protocols for network security
- G06F16/22: Indexing; Data structures therefor; Storage structures
- G06F21/00: Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
- G06F21/44: Program or device authentication
- G06F21/6218: Protecting access to data via a platform, e.g. using keys or access control rules, to a system of files or objects, e.g. local or distributed file system or database
- H04L49/20: Packet switching elements; Support for services
- H04L61/5014: Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]
- H04L63/0236: Filtering by address, protocol, port number or service, e.g. IP-address or URL
- H04L63/0876: Authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
- H04L63/10: Network security for controlling access to devices or network resources
- H04L63/101: Access control lists [ACL]
- H04L63/107: Security policies that are location-dependent, e.g. entity privileges depend on current location or allowing specific operations only from locally connected terminals
- H04L63/1416: Event detection, e.g. attack signature detection
- H04L63/145: Countermeasures against malicious traffic where the attack involves the propagation of malware through the network, e.g. viruses, trojans or worms
- H04L63/1458: Denial of Service
- H04L63/162: Implementing security features at the data link layer
- H04L63/20: Managing network security; network security policies in general
- H04L67/02: Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
- H04L69/161: Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields
- H04L69/163: In-band adaptation of TCP data exchange; In-band control procedures
- H04L69/168: Implementation or adaptation of IP, TCP or UDP specially adapted for link layer protocols, e.g. asynchronous transfer mode [ATM], synchronous optical network [SONET] or point-to-point protocol [PPP]
- H04L69/32: Architecture of open systems interconnection [OSI] 7-layer type protocol stacks, e.g. the interfaces between the data link level and the physical level
- H04L69/326: Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions in the transport layer [OSI layer 4]
- H04L69/324: Intralayer communication protocols among peer entities or protocol data unit [PDU] definitions in the data link layer [OSI layer 2], e.g. HDLC
- H04W12/06: Security arrangements; Authentication
- H04L2101/622: Layer-2 addresses, e.g. medium access control [MAC] addresses
Description
METHOD OF ROUTING WITH SECURITY AND AUTHENTICATION AT THE FRAME LEVEL
DESCRIPTION
OBJECT OF THE INVENTION
The present invention discloses a method of routing signals in a data network. More specifically, the present invention discloses a routing method that incorporates security improvements at the frame level (layer 2 of the OSI, "Open System Interconnection", model).
BACKGROUND OF THE INVENTION
Various signal routing methods are known in the art, and some of these mechanisms even incorporate complex security algorithms so that interconnection between the devices of a network is available only to the users who should form part of it.
Usually, this user identification is carried out at layer 3 of the OSI model, that is, by means of IP ("Internet Protocol") addresses, or at layers above it. Therefore, the devices responsible for routing and for the prior security identification must have devices capable of interpreting, at a minimum, data at layer 3 of the OSI model.
In addition, identification based on IP addresses is insufficient to guarantee the identification of a user, since any user, with any device, can configure their IP address without needing extensive knowledge of computer networks. This makes IP addresses easy to spoof.
To solve these problems of the prior art, various communication methods have been developed to improve the security of existing routers. In particular, document EP1170925 discloses a method of communication between devices that uses access vectors stored in an address table, in which the vectors comprise data indicating whether the MAC ("Media Access Control") address of one node may communicate with the MAC address of another. In short, this document discloses a method that detects whether a node has permission to send information to another based on the MAC addresses of both nodes, but it does not disclose the possibility of using these MAC addresses to access a given network.
On the other hand, document US8316438 discloses a system in which a personal computer with a given MAC address, when sending data to a gateway, passes through a network adapter that determines the permissions for transmitting information for that computer and either blocks the signal or, on the contrary, allows the data transfer. This document therefore discloses that it is possible to have a low-cost intermediate network adapter operating at layer 2 of the OSI model to filter the entry of users into the network. However, among other problems, the network would require the incorporation of multiple network adapters to perform this filtering, and configuring a new user would require reconfiguring all the network adapters in the system, which makes the system impractical. In addition, it would be enough to obtain a computer whose MAC address is registered in the network adapters in order to access the network.
DESCRIPTION OF THE INVENTION
There is therefore a need to incorporate a security system that, on the one hand, represents a low computational cost and, on the other, increases the security of networks by blocking unauthorized users while allowing the user table to be updated easily.
The present invention discloses a routing method that can be incorporated into the router by means of its firmware and which, operating at layer 2 of the OSI model, represents a low computational cost and allows the performance of current routers to be noticeably improved without modifying existing networks by adding new hardware.
The present invention discloses a method of routing signals in a router which comprises:
• means of connection to a series of devices;
• a table of allowed user addresses; and
• a user authorization table;
in which the table of allowed user addresses comprises MAC addresses of devices with permission to access the network, and in which the user authorization table comprises a series of identification data of allowed users related to at least one MAC address, and which comprises the steps of:
a) determining the MAC address of the device that is to be connected to the router;
b) identifying whether the MAC address determined in step a) is in the table of allowed user addresses; and
c) granting a level of access to the network;
in which, if in step b) it is identified that the MAC address is in the table of allowed user addresses, a step b1) is started in which the identification data of allowed users for that MAC address are read from the user authorization table, followed by a step b2) of user identification in which user identification data are requested from the device and compared with the data read in step b1).
As regards access levels, the present invention contemplates three main levels: a first level of access denial, in which access to the network is completely prevented; a second level of partial authorization, in which access is granted to at least part of the network, for example only to the intranet; and a third level in which full access to the network is granted. However, other types of levels may be incorporated without departing from the scope of protection of the present invention.
Preferably, the present invention contemplates that if, in step b), it is identified that the MAC address does not correspond to any of the addresses in the table of allowed user addresses, access to the network is denied in step c).
Preferably, if in step b) it is identified that the MAC address corresponds to one of the addresses in the table of allowed user addresses, and in step b2) it is identified that the user identification data correspond to one of the identification data read in step b1), then in step c) access is granted to at least part of the network.
In addition, in the specific case where the MAC address of the device does not correspond to any of the addresses provided in the table of allowed user addresses, or where the user identification data read in step b1) do not correspond to the identification data of allowed users stored in the user authorization table for the user's MAC address, in step c) restricted access to the network is granted, or access (2000) to the network could even be denied.
As for restricted access to the network, this restricted access can be interpreted, in particular, as only the reception of data, only access to the intranet (for example, to connect to printers, scanners, etc.) and/or only the sending of data without receiving any.
Additionally, the router may comprise an additional control variable based on a restriction table and a step e) in which access restrictions are set for at least one of the users in the user authorization table. Such restrictions may be, for example: a time-of-day restriction under which access to the network is allowed in step c); a restriction on web pages under which, in step c), access to at least one web page is denied; a restriction on protocols under which, in step c), communication via at least one protocol is denied (for example FTP, "File Transfer Protocol"); a restriction on ports under which, in step c), communication via at least one port is denied; etc.
Furthermore, the present invention also relates to a router that executes a routing method of the type explained above.
DESCRIPTION OF THE DRAWINGS
To complement the description being given, and in order to aid a better understanding of the features of the invention in accordance with a preferred example of its practical embodiment, a set of drawings is attached as an integral part of this description, in which the following is shown for illustrative and non-limiting purposes:
Figure 1 shows a schematic view of a communication flow in a preferred embodiment of the present invention.
Figure 2 shows a flow chart indicating the operation of a routing method according to the present invention.
PREFERRED EMBODIMENT OF THE INVENTION
Figure 1 shows a preferred embodiment of the present invention. In particular, Figure 1 shows a first embodiment in which the router is connected to a series of user devices (101, 102, 103, 104), each of these user devices (101, 102, 103, 104) having a MAC address.
Initially, the router of Figure 1 detects, in a first stage (1), the MAC address (10) of the active device (101), that is, the one of the user devices (101, 102, 103, 104) that intends to use the network. Subsequently, in a second stage (2), it performs an authorization of the MAC address (10) of the active device (101): it determines whether the MAC address (10) of that device matches one of the MAC addresses stored in the router's table of allowed user addresses. If MAC authorization (21) succeeds, that is, the MAC address (10) of the device matches one of the addresses stored in the router, the method proceeds to a third stage (3) in which user authorization is performed. Otherwise, access is denied (2000).
The third stage (3) is intended to identify the user who is using the authorized equipment to enter the network. However, in particular embodiments of the present invention, this authorization is not required for all MAC addresses of the user devices, since there will be devices such as printers, fax machines or scanners for which user authorization is not needed.
Nevertheless, the present invention contemplates that the router comprises a user authorization table in which, for at least one of the MAC addresses stored in the table of allowed user addresses, at least one username and password are available to identify, in addition to the equipment that connects to the network, the user who is making use of that equipment.
Thus, if the user has been identified (31), the method proceeds to a fourth stage (4) of time restriction; in case of an incorrect identification (31), access to the network is denied (2000).
As for the fourth stage (4) of time restriction, the embodiment of Figure 1 contemplates that, for at least one of the users, there is a time restriction parameter, which can be implemented either as an additional parameter of the user authorization table or as a separate table of time restrictions.
The purpose of this time restriction is for the router to hold specific permissions for each user. For example, one user may be given access to certain resources such as printers only during part of the working day, in order to organize the work in an office. In another example, a parental control can be set up so that logging in with a child user's password gives internet access only until a certain hour; once that hour has passed, access to resources is restricted. In the parental-control case, this restricted access may mean, for example, no internet access but continued access to internal network resources such as printers and scanners.
Additionally, the present invention contemplates that, besides the time restriction, the method allows additional restriction mechanisms to be incorporated, such as a fifth stage (5) in which further restrictions are applied, for example restricting access through certain ports or communication protocols, or to certain web pages.
Once the user's access level has been defined, if it is determined that no restriction applies, the user can be granted access to the network (1000). Otherwise, access is denied (2000).
Figure 2 shows a flow chart of a second embodiment of the present invention.
In this embodiment, a first stage (1) of data input is provided. In this case, the inputs to the flow chart are the MAC address of the device that intends to connect to the network and configuration data comprising a table of allowed user addresses, a user authorization table and, in this particular example, a time restriction table and a table of additional restrictions.
Once the input data has been detected, the method proceeds to a second stage (2) of MAC authorization, in which it is determined whether the MAC address from the first stage (1) matches one of the MAC addresses in the table of allowed user addresses. This is decided by a first decision operator (200): if the MAC address matches (202) one of the stored addresses, the method proceeds to a third stage (3) of user authorization; if the MAC address does not match (201) any stored address, access to the network is denied (2000).
In the third stage (3) the user is authorized: the user is prompted for a username-password pair. If the pair matches the one stored in the user authorization table for that MAC address, the user is deemed authenticated (303); otherwise it is determined that no authorized user has been authenticated, and the method may proceed in one of two ways: a first course of action (301), in which the user is given restricted access (3000), for example to the intranet only, or a second course of action (302), in which access to the network is denied (2000) for lack of authentication.
After the user has been authenticated (303), a fourth stage (4) determines whether a time restriction has been defined for that user. A logical decision operator then determines whether the user is subject to a time restriction, in which case either a first action (401), denying access, or a second action (402), granting the user restricted access (3000), can be chosen.
If it is determined that the user has no time restriction, access without time restrictions is authorized (403) for that user.
Finally, the present invention contemplates a fifth stage (5) of additional restrictions, in which it is determined whether additional restrictions apply to that user. If an additional restriction is found (501), the user is granted restricted access (3000); if it is a user for whom no additional restrictions exist (502), access to the network is granted (1000).
For greater clarity, restricted access (3000) to the network means that a partial block (301) is applied: for example, access is granted to the internet only, access to certain protocols (for example, FTP) is denied, access to certain web pages is denied, certain ports are blocked, and so on. Denying access (2000) means that a total block (2001) is applied, preventing the user from communicating either with the network devices or with an external network such as the internet.
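The five-stage flow of Figures 1 and 2 (MAC detection and authorization, username-password authorization, time restriction, additional restrictions) can be written out as a single policy decision. The following is an added example, not code from the patent or its applicant: the source MAC is read from a raw Ethernet II frame, then stages 2 to 5 are run against constructed tables. The MAC addresses, user names, passwords, time window, restriction strings, salt and the choice of PBKDF2 as the password verifier are all assumptions made for illustration. The outcome labels 1000, 3000 and 2000 follow the figures.

```python
"""Added example (not the patent's own code): the five-stage decision flow of
Figures 1 and 2 as a policy engine driven by a raw Ethernet frame.
Table contents, names, passwords and helper names are constructed for
illustration and are assumptions, not data from the patent."""
import hashlib
import hmac
import struct
from datetime import time
from typing import Optional

# Outcome labels as used in the patent's figures.
GRANT, RESTRICTED, DENIED = "1000", "3000", "2000"


def src_mac(frame: bytes) -> str:
    """Stage 1: read the source MAC from an Ethernet II header (dst 6, src 6, type 2)."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    return ":".join(f"{b:02x}" for b in frame[6:12])


def make_frame(src: str, dst: str = "ff:ff:ff:ff:ff:ff", ethertype: int = 0x0800,
               payload: bytes = b"") -> bytes:
    """Build a constructed Ethernet II frame for testing (not captured traffic)."""
    def mac_bytes(m: str) -> bytes:
        return bytes(int(x, 16) for x in m.split(":"))
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload


def pw_hash(password: str, salt: bytes) -> bytes:
    """Store password verifiers, not passwords: PBKDF2-HMAC-SHA256 (a constructed choice)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed configuration tables (hypothetical values).
SALT = b"constructed-salt"
ALLOWED_MACS = {"00:11:22:33:44:55", "66:77:88:99:aa:bb", "de:ad:be:ef:00:01"}
# User authorization table: MAC -> {username: verifier}. A MAC absent here
# (e.g. the printer de:ad:be:ef:00:01) skips stage 3, as the description allows.
USER_AUTH = {
    "00:11:22:33:44:55": {"alice": pw_hash("correct horse", SALT)},
    "66:77:88:99:aa:bb": {"kid": pw_hash("battery staple", SALT)},
}
# Time restriction table: username -> (start, end) window of unrestricted access.
TIME_WINDOWS = {"kid": (time(8, 0), time(20, 0))}
# Additional restrictions table: username -> restrictions applied in stage 5.
EXTRA_RESTRICTIONS = {"alice": {"block-port:21", "block-proto:ftp"}}


def decide(frame: bytes, username: Optional[str] = None, password: Optional[str] = None,
           now: time = time(12, 0), unauth_policy: str = DENIED,
           time_policy: str = RESTRICTED) -> str:
    """Run stages 2-5 and return GRANT (1000), RESTRICTED (3000) or DENIED (2000).

    unauth_policy selects action 301 (RESTRICTED) or 302 (DENIED) for a failed
    login; time_policy selects action 401 (DENIED) or 402 (RESTRICTED) when the
    user is outside the configured time window.
    """
    mac = src_mac(frame)

    # Stage 2: MAC authorization (decision operator 200). Caveat: the source MAC
    # is chosen by the sender and is trivially spoofed, so this step only
    # filters; stage 3 is the step that actually authenticates anyone.
    if mac not in ALLOWED_MACS:
        return DENIED                                   # 201

    # Stage 3: user authorization, only for MACs that have credentials on file.
    creds = USER_AUTH.get(mac)
    if creds is not None:
        stored = creds.get(username or "", b"")
        candidate = pw_hash(password or "", SALT)       # always computed: same work for unknown users
        if not hmac.compare_digest(stored, candidate):  # constant-time; False for unknown user too
            return unauth_policy                        # 301 or 302

    # Stage 4: time restriction.
    window = TIME_WINDOWS.get(username)
    if window is not None and not (window[0] <= now <= window[1]):
        return time_policy                              # 401 or 402

    # Stage 5: additional restrictions (ports, protocols, web pages).
    if EXTRA_RESTRICTIONS.get(username):
        return RESTRICTED                               # 501
    return GRANT                                        # 502


if __name__ == "__main__":
    print(decide(make_frame("de:ad:be:ef:00:01")))                                    # printer, no login: 1000
    print(decide(make_frame("00:11:22:33:44:55"), "alice", "correct horse"))          # FTP blocked: 3000
    print(decide(make_frame("66:77:88:99:aa:bb"), "kid", "battery staple", now=time(22, 0)))  # after hours: 3000
```

Two points worth noting for anyone building on this flow. First, a MAC whitelist is a device hint, not authentication: the address is set by the sending host, so stage 2 alone cannot stop an attacker who has observed an allowed address on the wire, which is why the user authorization table of stage 3 carries the actual security. Second, the table should hold password verifiers (salted, slow hashes) rather than passwords, and the comparison should take the same time whether the username exists or not, as done above with a fixed-cost hash and `hmac.compare_digest`.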
Claims (10)
Priority Applications (18)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
ES201430822A ES2552675B1 (en) | 2014-05-29 | 2014-05-29 | Routing method with security and frame-level authentication |
US15/314,381 US20170230350A1 (en) | 2014-05-29 | 2014-05-29 | Network element and method for improved user authentication in communication networks |
EP15735721.1A EP3151505B1 (en) | 2014-05-29 | 2015-05-29 | Method and network element for improved access to communications networks |
EP15738129.4A EP3151506A1 (en) | 2014-05-29 | 2015-05-29 | Improved assignment and distribution of network configuration parameters to devices |
MX2016015592A MX359691B (en) | 2014-05-29 | 2015-05-29 | Method and network element for improved access to communication networks. |
KR1020167035995A KR20170016878A (en) | 2014-05-29 | 2015-05-29 | Method and network element for improved user authentication in communication networks |
KR1020167035695A KR20170013298A (en) | 2014-05-29 | 2015-05-29 | Improved assignment and distribution of network configuration parameters to devices |
PCT/ES2015/070422 WO2015181430A1 (en) | 2014-05-29 | 2015-05-29 | Improved assignment and distribution of network configuration parameters to devices |
PT157357211T PT3151505T (en) | 2014-05-29 | 2015-05-29 | Method and network element for improved access to communications networks |
US15/314,725 US10257186B2 (en) | 2014-05-29 | 2015-05-29 | Method and network element for improved access to communication networks |
PCT/ES2015/070423 WO2015181431A1 (en) | 2014-05-29 | 2015-05-29 | Method and network element for improved access to communication networks |
KR1020167035843A KR20170015340A (en) | 2014-05-29 | 2015-05-29 | Method and network element for improved access to communication networks |
ES15735721.1T ES2673938T3 (en) | 2014-05-29 | 2015-05-29 | Procedure and network element for improved access to communication networks |
US15/314,915 US10129246B2 (en) | 2014-05-29 | 2015-05-29 | Assignment and distribution of network configuration parameters to devices |
EP15735720.3A EP3151144A1 (en) | 2014-05-29 | 2015-05-29 | Method and network element for improved user authentication in communication networks |
AU2015265782A AU2015265782B2 (en) | 2014-05-29 | 2015-05-29 | Method and network element for improved access to communication networks |
CA2950677A CA2950677A1 (en) | 2014-05-29 | 2015-05-29 | Network element and method for improved access to communication networks |
PCT/ES2015/070421 WO2015181429A1 (en) | 2014-05-29 | 2015-05-29 | Method and network element for improved user authentication in communication networks |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
ES201430822A ES2552675B1 (en) | 2014-05-29 | 2014-05-29 | Routing method with security and frame-level authentication |
Publications (2)
Publication Number | Publication Date |
---|---|
ES2552675A1 true ES2552675A1 (en) | 2015-12-01 |
ES2552675B1 ES2552675B1 (en) | 2016-10-10 |
Family
ID=53525204
Family Applications (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
ES201430822A Expired - Fee Related ES2552675B1 (en) | 2014-05-29 | 2014-05-29 | Routing method with security and frame-level authentication |
ES15735721.1T Active ES2673938T3 (en) | 2014-05-29 | 2015-05-29 | Procedure and network element for improved access to communication networks |
Family Applications After (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
ES15735721.1T Active ES2673938T3 (en) | 2014-05-29 | 2015-05-29 | Procedure and network element for improved access to communication networks |
Country Status (9)
Country | Link |
---|---|
US (3) | US20170230350A1 (en) |
EP (3) | EP3151505B1 (en) |
KR (3) | KR20170013298A (en) |
AU (1) | AU2015265782B2 (en) |
CA (1) | CA2950677A1 (en) |
ES (2) | ES2552675B1 (en) |
MX (1) | MX359691B (en) |
PT (1) | PT3151505T (en) |
WO (3) | WO2015181431A1 (en) |
Families Citing this family (64)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
DE102014107793B9 (en) * | 2014-06-03 | 2018-05-09 | Fujitsu Technology Solutions Intellectual Property Gmbh | Method of routing data between computer systems, computer network infrastructure and computer program product |
US10114351B2 (en) * | 2015-03-05 | 2018-10-30 | Google Llc | Smart-home automation system that suggests or autmatically implements selected household policies based on sensed observations |
CN106211152B (en) * | 2015-04-30 | 2019-09-06 | 新华三技术有限公司 | A kind of wireless access authentication method and device |
EP3304859A1 (en) * | 2015-05-26 | 2018-04-11 | Frigerio, Tommaso | Telecommunication system for the secure transmission of data therein and device associated therewith |
FR3038421B1 (en) * | 2015-06-30 | 2017-08-18 | Oberthur Technologies | METHOD FOR MANAGING PROFILES IN A SECURE ELEMENT |
CN106375102B (en) * | 2015-07-22 | 2019-08-27 | 华为技术有限公司 | A kind of service registration method, application method and relevant apparatus |
US10200342B2 (en) * | 2015-07-31 | 2019-02-05 | Nicira, Inc. | Dynamic configurations based on the dynamic host configuration protocol |
CN105162728B (en) * | 2015-07-31 | 2018-07-31 | 小米科技有限责任公司 | Method for network access, equipment and system |
US10237351B2 (en) * | 2015-11-23 | 2019-03-19 | Dojo-Labs Ltd | Sub-networks based security method, apparatus and product |
FR3044848B1 (en) * | 2015-12-03 | 2019-08-23 | Overkiz | METHOD FOR CONFIGURING, CONTROLLING OR SUPERVISING A DOMOTIC FACILITY |
US10044674B2 (en) * | 2016-01-04 | 2018-08-07 | Afero, Inc. | System and method for automatic wireless network authentication in an internet of things (IOT) system |
US10212167B2 (en) * | 2016-02-27 | 2019-02-19 | Gryphon Online Safety, Inc. | Method and system to enable controlled safe internet browsing |
US11301572B2 (en) | 2016-02-27 | 2022-04-12 | Gryphon Online Safety, Inc. | Remotely controlling access to online content |
US10440025B2 (en) | 2016-06-07 | 2019-10-08 | Gryphon Online Safety, Inc | Remotely controlling access to online content |
US10353880B2 (en) * | 2016-03-14 | 2019-07-16 | Wipro Limited | System and method for governing performances of multiple hardware devices |
US11108816B2 (en) * | 2016-03-17 | 2021-08-31 | Johann Schlamp | Constructible automata for internet routes |
US10547588B2 (en) * | 2016-04-30 | 2020-01-28 | Nicira, Inc. | Method of translating a logical switch into a set of network addresses |
EP3253020A1 (en) * | 2016-06-03 | 2017-12-06 | Gemalto Sa | A method and an apparatus for publishing assertions in a distributed database of a mobile telecommunication network |
US10645057B2 (en) * | 2016-06-22 | 2020-05-05 | Cisco Technology, Inc. | Domain name system identification and attribution |
US20180013618A1 (en) * | 2016-07-11 | 2018-01-11 | Aruba Networks, Inc. | Domain name system servers for dynamic host configuration protocol clients |
US10397303B1 (en) * | 2016-08-29 | 2019-08-27 | Amazon Technologies, Inc. | Semantic annotation and translations for devices |
DE102016116077A1 (en) | 2016-08-29 | 2018-03-01 | Unify Patente Gmbh & Co. Kg | A method for assigning a MAC address to a communication device in a network environment and database with MAC addresses |
US10097517B2 (en) * | 2016-09-01 | 2018-10-09 | Cybersight, Inc. | Secure tunnels for the internet of things |
US11405201B2 (en) | 2016-11-10 | 2022-08-02 | Brickell Cryptology Llc | Secure transfer of protected application storage keys with change of trusted computing base |
US11398906B2 (en) | 2016-11-10 | 2022-07-26 | Brickell Cryptology Llc | Confirming receipt of audit records for audited use of a cryptographic key |
US10498712B2 (en) | 2016-11-10 | 2019-12-03 | Ernest Brickell | Balancing public and personal security needs |
US10855465B2 (en) | 2016-11-10 | 2020-12-01 | Ernest Brickell | Audited use of a cryptographic key |
US10652245B2 (en) | 2017-05-04 | 2020-05-12 | Ernest Brickell | External accessibility for network devices |
EP3619632A4 (en) * | 2017-05-04 | 2021-04-07 | Ernest Brickell | Assuring external accessibility for devices on a network |
US10348706B2 (en) | 2017-05-04 | 2019-07-09 | Ernest Brickell | Assuring external accessibility for devices on a network |
US10129255B1 (en) | 2017-05-12 | 2018-11-13 | International Business Machines Corporation | Device authentication with MAC address and time period |
US10419445B2 (en) * | 2017-07-03 | 2019-09-17 | Sap Se | Credential change management system |
US10609064B2 (en) * | 2017-07-06 | 2020-03-31 | Bank Of America Corporation | Network device access control and information security |
KR102646526B1 (en) | 2017-09-08 | 2024-03-13 | 콘비다 와이어리스, 엘엘씨 | Automated service enrollment in a machine-to-machine communications network |
US10887316B2 (en) | 2017-10-27 | 2021-01-05 | Cleverdome, Inc. | Software defined network for creating a trusted network system |
FR3076142A1 (en) * | 2017-12-21 | 2019-06-28 | Bull Sas | METHOD AND SERVER OF TOPOLOGICAL ADDRESS ALLOCATION TO NETWORK SWITCHES, COMPUTER PROGRAM AND CLUSTER OF CORRESPONDING SERVERS |
US20190215368A1 (en) * | 2018-01-06 | 2019-07-11 | Jacqueline Thanh-Thao Do | Internet of Things (“IoT”)-Enabled Toothbrush Device to Monitor Human Vital Signs |
WO2019194787A1 (en) * | 2018-04-02 | 2019-10-10 | Visa International Service Association | Real-time entity anomaly detection |
US10855674B1 (en) * | 2018-05-10 | 2020-12-01 | Microstrategy Incorporated | Pre-boot network-based authentication |
US11290459B2 (en) * | 2018-05-15 | 2022-03-29 | Lenovo Enterprise Solutions (Singapore) Pte. Ltd. | Granting guest devices access to a network using out-of-band authorization |
US11068600B2 (en) * | 2018-05-21 | 2021-07-20 | Kct Holdings, Llc | Apparatus and method for secure router with layered encryption |
US11212178B2 (en) * | 2018-06-05 | 2021-12-28 | Toshiba Client Solutions CO., LTD. | Control system, electronic device, and control method |
US10938821B2 (en) * | 2018-10-31 | 2021-03-02 | Dell Products L.P. | Remote access controller support registration system |
CN109286637B (en) * | 2018-11-19 | 2021-05-14 | 南京邮电大学 | Defense method for D-LinkDir series router configuration interface loophole |
US11146565B2 (en) * | 2018-11-28 | 2021-10-12 | Motorola Mobility Llc | Mobile electronic communications device having multiple device paths |
US11075877B2 (en) * | 2019-01-11 | 2021-07-27 | Charter Communications Operating, Llc | System and method for remotely filtering network traffic of a customer premise device |
US11063982B2 (en) * | 2019-01-25 | 2021-07-13 | Unisys Corporation | Object scope definition for enterprise security management tool |
US11218440B2 (en) * | 2019-04-30 | 2022-01-04 | Hewlett Packard Enterprise Development Lp | Contiguous subnet IP address allocation |
CN113692563A (en) * | 2019-06-27 | 2021-11-23 | 苹果公司 | Modifying existing content based on target audience |
KR20210065513A (en) * | 2019-11-27 | 2021-06-04 | 휴렛-팩커드 디벨롭먼트 컴퍼니, 엘.피. | Network security configuration of image forming apparatus |
JP7419973B2 (en) * | 2020-06-01 | 2024-01-23 | トヨタ自動車株式会社 | Information processing device, information processing method, program, and mobile device |
EP4173232A1 (en) * | 2020-06-29 | 2023-05-03 | Illumina, Inc. | Temporary cloud provider credentials via secure discovery framework |
CN111932780B (en) * | 2020-07-11 | 2022-03-04 | 南京理工大学 | Power management system based on block chain technology |
CN114095424A (en) * | 2020-08-07 | 2022-02-25 | 艾锐势企业有限责任公司 | Router, method for router, computer readable medium and device |
US11457012B2 (en) * | 2020-11-03 | 2022-09-27 | Okta, Inc. | Device risk level based on device metadata comparison |
US11882452B2 (en) | 2020-11-20 | 2024-01-23 | Bank Of America Corporation | Monitoring for security threats associated with mobile devices that have been identified and logged |
US11361630B1 (en) | 2020-11-20 | 2022-06-14 | Bank Of America Corporation | Identifying and logging mobile devices posing security threats |
US11601399B2 (en) | 2021-01-20 | 2023-03-07 | Bank Of America Corporation | System and method for detecting forbidden network accesses based on zone connectivity mapping |
US11949652B2 (en) | 2021-03-31 | 2024-04-02 | Samsung Electronics Co., Ltd. | Transmitting router advertisements based on identification information of external devices |
KR20220135623A (en) * | 2021-03-31 | 2022-10-07 | 삼성전자주식회사 | Electronic device for allocating ip address of an external electronic device and method for the same |
KR102479425B1 (en) * | 2021-06-18 | 2022-12-20 | 주식회사 이너트론 | Method and apparatus for detecting and blocking illegal devices in wired and wireless networks |
US11929981B2 (en) * | 2021-09-15 | 2024-03-12 | Honeywell International Inc. | Batch assignment of IP addresses in a building control network |
CN114979738B (en) * | 2022-05-17 | 2023-03-14 | 深圳市旭联信息技术有限公司 | Wireless screen projection method, receiver and storage medium |
CN115208683B (en) * | 2022-07-26 | 2023-05-26 | 北京航天驭星科技有限公司 | Authority distribution method and authority distribution device based on space cloud service |
Citations (6)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20030220994A1 (en) * | 2002-02-28 | 2003-11-27 | Chunrong Zhu | Wireless network access system and method |
US20060137005A1 (en) * | 2004-12-16 | 2006-06-22 | Samsung Electronics Co., Ltd. | System for and method of authenticating device and user in home network |
US20080209071A1 (en) * | 2006-12-18 | 2008-08-28 | Fujitsu Limited | Network relay method, network relay apparatus, and network relay program |
US7568092B1 (en) * | 2005-02-09 | 2009-07-28 | Sun Microsystems, Inc. | Security policy enforcing DHCP server appliance |
US7574202B1 (en) * | 2006-07-21 | 2009-08-11 | Airsurf Wireless Inc. | System and methods for a secure and segregated computer network |
EP2667664A1 (en) * | 2012-05-25 | 2013-11-27 | Comcast Cable Communications, LLC | Method and devices for providing access to public and private wireless networks |
Family Cites Families (13)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6393484B1 (en) * | 1999-04-12 | 2002-05-21 | International Business Machines Corp. | System and method for controlled access to shared-medium public and semi-public internet protocol (IP) networks |
US6981143B2 (en) * | 2001-11-28 | 2005-12-27 | International Business Machines Corporation | System and method for providing connection orientation based access authentication |
US7533412B2 (en) * | 2002-04-23 | 2009-05-12 | Stmicroelectronics S.A. | Processor secured against traps |
US7249187B2 (en) * | 2002-11-27 | 2007-07-24 | Symantec Corporation | Enforcement of compliance with network security policies |
US7735114B2 (en) * | 2003-09-04 | 2010-06-08 | Foundry Networks, Inc. | Multiple tiered network security system, method and apparatus using dynamic user policy assignment |
WO2005091159A1 (en) * | 2004-03-24 | 2005-09-29 | Exers Technologies. Inc. | Authentication system being capable of controlling authority based of user and authenticator. |
US20070220252A1 (en) * | 2005-06-06 | 2007-09-20 | Sinko Michael J | Interactive network access controller |
US7966650B2 (en) | 2008-02-22 | 2011-06-21 | Sophos Plc | Dynamic internet address assignment based on user identity and policy compliance |
US8891358B2 (en) * | 2008-10-16 | 2014-11-18 | Hewlett-Packard Development Company, L.P. | Method for application broadcast forwarding for routers running redundancy protocols |
US9047458B2 (en) * | 2009-06-19 | 2015-06-02 | Deviceauthority, Inc. | Network access protection |
US9119070B2 (en) | 2009-08-31 | 2015-08-25 | Verizon Patent And Licensing Inc. | Method and system for detecting unauthorized wireless devices |
US8745758B2 (en) * | 2009-11-02 | 2014-06-03 | Time Warner Cable Enterprises Llc | Apparatus and methods for device authorization in a premises network |
WO2014039047A1 (en) * | 2012-09-07 | 2014-03-13 | Nokia Corporation | Methods and apparatus for network sharing control |
2014
- 2014-05-29 ES ES201430822A patent/ES2552675B1/en not_active Expired - Fee Related
- 2014-05-29 US US15/314,381 patent/US20170230350A1/en not_active Abandoned
2015
- 2015-05-29 US US15/314,915 patent/US10129246B2/en not_active Expired - Fee Related
- 2015-05-29 MX MX2016015592A patent/MX359691B/en active IP Right Grant
- 2015-05-29 EP EP15735721.1A patent/EP3151505B1/en not_active Not-in-force
- 2015-05-29 US US15/314,725 patent/US10257186B2/en not_active Expired - Fee Related
- 2015-05-29 WO PCT/ES2015/070423 patent/WO2015181431A1/en active Application Filing
- 2015-05-29 AU AU2015265782A patent/AU2015265782B2/en not_active Ceased
- 2015-05-29 KR KR1020167035695A patent/KR20170013298A/en unknown
- 2015-05-29 KR KR1020167035995A patent/KR20170016878A/en unknown
- 2015-05-29 EP EP15735720.3A patent/EP3151144A1/en not_active Withdrawn
- 2015-05-29 PT PT157357211T patent/PT3151505T/en unknown
- 2015-05-29 KR KR1020167035843A patent/KR20170015340A/en not_active Application Discontinuation
- 2015-05-29 EP EP15738129.4A patent/EP3151506A1/en not_active Withdrawn
- 2015-05-29 ES ES15735721.1T patent/ES2673938T3/en active Active
- 2015-05-29 WO PCT/ES2015/070422 patent/WO2015181430A1/en active Application Filing
- 2015-05-29 WO PCT/ES2015/070421 patent/WO2015181429A1/en active Application Filing
- 2015-05-29 CA CA2950677A patent/CA2950677A1/en not_active Abandoned
Also Published As
Publication number | Publication date |
---|---|
KR20170013298A (en) | 2017-02-06 |
AU2015265782B2 (en) | 2018-12-06 |
US20170230350A1 (en) | 2017-08-10 |
KR20170015340A (en) | 2017-02-08 |
KR20170016878A (en) | 2017-02-14 |
EP3151505A1 (en) | 2017-04-05 |
MX2016015592A (en) | 2017-07-13 |
US10257186B2 (en) | 2019-04-09 |
EP3151506A1 (en) | 2017-04-05 |
ES2673938T3 (en) | 2018-06-26 |
US20170187703A1 (en) | 2017-06-29 |
ES2552675B1 (en) | 2016-10-10 |
AU2015265782A1 (en) | 2016-12-22 |
EP3151505B1 (en) | 2018-03-28 |
US20170195162A1 (en) | 2017-07-06 |
EP3151144A1 (en) | 2017-04-05 |
MX359691B (en) | 2018-10-04 |
WO2015181431A1 (en) | 2015-12-03 |
US10129246B2 (en) | 2018-11-13 |
PT3151505T (en) | 2018-06-29 |
CA2950677A1 (en) | 2015-12-03 |
WO2015181430A1 (en) | 2015-12-03 |
WO2015181429A1 (en) | 2015-12-03 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
ES2552675B1 (en) | Routing method with security and frame-level authentication | |
ES2337437B2 (en) | Procedure and system to control wireless access to secure network resources based on context | |
US7840763B2 (en) | Methods and systems for achieving high assurance computing using low assurance operating systems and processes | |
CN107820604B (en) | Para-virtualized security threat protection for computer driven systems with networked devices | |
ES2922413T3 (en) | Protection of data in memory of a consumable product | |
ES2748912T3 (en) | Device and procedure for managing the access rights to a wireless network | |
ES2947385T3 (en) | Method and system to control the security of users who browse the Internet | |
US20120324533A1 (en) | Wireless network having multiple security interfaces | |
US10878134B2 (en) | Technologies for controlling memory access transactions received from one or more I/O devices | |
ES2687351T3 (en) | Network flow control device and security strategy configuration method and device | |
US20150381610A1 (en) | Location-based data security | |
Wang et al. | Towards a security-enhanced firewall application for openflow networks | |
US11005852B2 (en) | System and method for securing electronic devices | |
US11528270B2 (en) | Network authorization in web-based or single sign-on authentication environments | |
Peters et al. | BASTION-SGX: Bluetooth and architectural support for trusted I/O on SGX | |
Rios et al. | From SMOG to Fog: a security perspective | |
CN103905402B (en) | A kind of secret and safe management method based on safety label | |
BR112020020401A2 (en) | DISABLED SECURE INTERFACE | |
US11165773B2 (en) | Network device and method for accessing a data network from a network component | |
CN104579735A (en) | Router security management method | |
KR102075514B1 (en) | Network security unit for a vehicle | |
ES2514365T3 (en) | Industrial automation system and method for its protection | |
ES2909011T3 (en) | Systems and methods for receiving and transmitting communication signals | |
Rathod et al. | Roll of distributed firewalls in local network for data Security | |
KR20170017860A (en) | Network virtualization system based of network vpn |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
2014-10-09 | PC2A | Transfer of patent | Owner name: JOSE ANTONIO ENRIQUE SALPICO |
2015-06-24 | PC2A | Transfer of patent | Owner name: TECTECO SECURITY SYSTEMS, S.L. |
2016-10-10 | FG2A | Definitive protection | Ref document number: 2552675; Country of ref document: ES; Kind code of ref document: B1 |
2022-07-01 | FD2A | Announcement of lapse in Spain | |